In General Data Protection Regulation (GDPR) lingo, we take on the role of "data processor" and we abide by all the rules that follow from that. Because we can't tell when someone is sharing their shoe size or their most intimate secrets, we simply treat all message data as potentially "Personally Identifiable Information" and act accordingly.
Note that because we're a "data processor", our customers (that is, you) are still responsible for getting your users' permission for collecting said data (depending on your reading of the law, this is implicitly given by their choice to use your messaging feature, or you'll have to ask for explicit consent).
We recommend that you send us as little user data as possible. For example, do not send us a user's email address if you don't intend to use our email notification feature, do not send a phone number unless you want SMS notifications, and so on.
In line with GDPR principles, we do not collect or store any data that is not needed for providing a good cross-device messaging service. Notably, we don't "track" your users for marketing purposes. If a user files a "right to be forgotten" request, you can either use our REST API to irrevocably remove all their data, or ask us to do it for you.
Chapter 9 of our Terms of Service addresses all required aspects of data processing and data protection, so much so that an additional DPA should be deemed unnecessary.
That said, if your internal procedures and processes still require a signed DPA (its contents are identical to chapter 9 of our Terms of Service) from us to be GDPR compliant, then please download the full DPA document.
By default, we store all your data in the EU. See our data processors for an up-to-date list.